Strategies to confront the rising democratization of IT

How employee’s use of cloud services are changing the way IT handles security

Cloud computing has given business users the power to use sophisticated cloud services without the need to go through IT. Well-meaning employees do not think about the potential risks associated with the cloud. Software as a Service (SaaS) offerings like Facebook, Dropbox Flickr, Google’s Pircasa, or LinkedIn are commonly used by everyone from college users to business leaders. Security and risk are far from the minds of most business users.

Cloud services can be a productivity boom for business users and has resulted in a shift in the balance of power between business users and IT. This has left IT frustrated. IT leaders have an obligation and legitimate right to protect valuable corporate assets like IP. Therefore, it is not surprising that IT is struggling to give users access to the tools they need while keeping corporate networks safe.

Cloud service providers focus on marketing their offerings to individuals rather than corporations.. This means that things like corporate governance, enterprise level security and service level agreements (SLAs) have been ignored in favor of usability and delivering a “freemium” offering (free for basic services, then fees for more functionality or storage). In fact, if something goes wrong, such as a data breach or service disruption, these vendors typically have no intention to take any financial or legal liability. In a perfect world, IT would be able to dictate what cloud services employees are allowed to use; however, the reality is the cat is out of the bag and there is no going back. What can an organization do to protect its IP in a secure and responsible way?

1.Understand new technologies and quickly develop a strategy. IT should be proactive in understanding the security implications of new technologies that employees are likely to bring into the workplace and be prepared to develop a strategy to manage the risks. For example, several years ago companies found themselves struggling to create policies regarding camera phones. Some organizations banned them altogether, while others only restricted their entrance into sensitive areas. In many cases employers have employees sign an acceptable use policy (AUP) which clearly outlines what’s permissible and what the consequences are for breaking the policy. An example of how a company is handling employee use of new technology is IBM’s recent announcement that they are prohibiting employees from using Apple’s Siri.

2. Embrace new offerings. Understanding the risks of new technologies is important, but IT must be willing to add support for new offerings if they have provide significant advantages. For example, IT might notice that many of its business users are using Dropbox to internally share files. Shutting down access to the service, even if it’s outside of the acceptable use policy, can be viewed by users as an extreme measure which will disrupt productivity. Instead of immediately blocking access to non-approved applications, IT should investigate how and why employees are using the service, and identify the risks. If the risks are too great, more secure alternatives should be offered to employees. This approach requires that IT must work closely with business users to understand the value of a new cloud offering and how it is increasing productivity to help reach business objectives. For example, IT might determine that the risk of a service like Dropbox isn’t secure enough and can recommend a more secure alternative. VMware’s Project Octopus offers functionality similar to Dropbox, but is designed for enterprise use. The product can crawl through a business’ network converting Dropbox accounts to Octopus accounts. Project Octopus allows for much more control over the data than Dropbox, for example by allowing files to be stored on an organization’s choice of a public or private cloud.

3. Educate employees. Education is the best way to help avoid the security problems that occur when users bring untested cloud services and other new technologies into the workplace. Employees most likely have the best intentions in mind when making use of public cloud services for business projects and are simply unaware of the security implications. Security has always been in the domain of IT, and business users aren’t accustomed to thinking about the risk implications of using these offerings. By educating and working closely with business users, IT is able to explain the risks that cloud services can pose, and why IT sometimes appear slow to adopt new technologies.

4. Monitor and understand your data. Data leaks and thefts pose a significant risk to organizational profitability and success. IT must do an inventory of data to understand where it is stored and which files contain sensitive information. Once the data is well understood, role-based access controls (RBAC) should be implemented to maintain tight control over sensitive data. An effective RBAC strategy requires a clear understanding of both organizational data and user groups. For example, in many industries such as retail, health care and education, organizations are legally bound to protect personally identifiable information (PII). At the same time, a high priority must be made to protect IP, for example product research and development.. Applying these controls can be difficult. Staff at a call center need access to customer addresses and order histories, but shouldn’t have access to research for a new product. Likewise, other corporate users should not be able to access customer PII.

5. Thoroughly vet cloud service providers. Organizations must only adopt new cloud services that meet their security and compliance requirements. A standard approval process should be developed in order to streamline the evaluation process. To assist with the approval process and meet customer demand, many cloud providers have been compelled to get third party assurances.. For example, Amazon Web Services (AWS) has SSAE 16 and ISO 27001 certifications and offers enough controls to build HIPAA compliant applications. Many other cloud services offer similar certifications, such as Salesforce.com, box, and Workday.